[keycloak-dev] Keycloak in Tomcat server

Bill Burke bburke at redhat.com
Mon Nov 30 21:45:58 EST 2015



On 11/30/2015 8:56 PM, Adam Young wrote:
> On 11/30/2015 05:24 PM, Bill Burke wrote:
>> Infinispan (caching), JPA, datasources, servlet, JAX-RS.  Wildfly/JBoss
>> is also set to run out of the box in a cluster and manageable in a domain
>> (a cluster) out of the box.  Not to mention all the classloader
>> isolation you DO NOT get with Tomcat.  Finally all the built-in patch
>> management that comes with Wildfly/JBoss.  Then there's developers that
>> will want to deploy integration/extension plugins.  We can also leverage
>> Wildfly's deployment engine for that too.
>>
>> Running Keycloak Auth Server in Tomcat/Jetty would actually not be a
>> very smart thing to do.  There are huge advantages to running within
>> Wildfly/JBoss.  The only disadvantage is the size of the distro.  There
>> is no performance penalty.
>
>
> In order to deploy Keycloak as a partner to FreeIPA, it needs to be
> managed in the same manner as FreeIPA.
>

While we do have somebody working on FreeIPA integration, we won't be 
rearchitecting our whole deployment strategy just to "partner" with 
FreeIPA.  Especially considering we've had ZERO inquiries for FreeIPA 
integration.

> They are two different deployment strategies, with different management
> tooling around each.  Dogtag is an example of a Tomcat-only based
> deployment that is managed via RPMs, with a specially hardened Tomcat
> container that is necessary to pass Common Criteria and FIPS 140
> certifications; making those changes to JBoss would be awesome, but
> perhaps far more of an engineering effort than any of us care to make.
>

I'm not sure you are correct in your assessment of JBoss.  It has been 
in the product line for 9+ years now.  I think it may have already 
passed Common Criteria years ago.  I know it was something they were 
aiming for back in 2007-2008.


To put it bluntly, getting Keycloak running on Tomcat is not an 
engineering effort that any of us on Keycloak care to make :)  I see 
ZERO technical advantages and it is just not how we want our userbase 
consuming Keycloak.  We will not be supporting it in product.  Feel free 
to take it up with our PM if you feel so strongly about it.  But I feel 
equally strongly that deploying on Tomcat is a bad idea.

> I am personally a fan of JBoss-based deployments, but a Tomcat-only one is
> more practical from a Fedora and CentOS starting point.
>

I honestly do not care how practical Tomcat-only is for Fedora or 
CentOS.  It is more important to solve customers' technical needs than 
the needs of the Fedora community.  We *have* managed to build a very 
robust community without being distributed by Fedora.  About 3000-4000 
downloads per month with a strong backlog of customers asking for 
support.  A large number of these users don't even run on Linux.

> We see this same issue come up with all of the language-specific package
> and patch managers.  We can't deploy Python code from pip, Ruby via
> gems, or Perl from CPAN; they all get packaged first.  The extra work
> ensures that nothing binary-only sneaks in, that all licenses get
> reviewed, and that someone from outside the team reviews the packaging
> to ensure it meets distribution standards.
>

You do know that JBoss has been in the product line for 9+ years now? 
And Keycloak will be piggybacking off of the JBoss productization process?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com